Webfiltering makes LAN for guests accessible

Hello

I have a Sophos UTM home edition running. It's mostly running well, except for one thing that doesn't work the way it should.

The setup:
I have 3 interfaces.
1x External (WAN)
2x Internal (1x LAN / 1x Guest)

Now, as long as I'm using webfiltering only for one of the two internal networks, everything is good. The guest network cannot get to the LAN portion of the network.
As soon as I add the guest network to the webfiltering, it makes devices on the guest network able to get to devices on the LAN as long as you know the IP address of the devices on there - which is unacceptable.

I've been trying all kinds of things and been binging around a lot - but not found a solution for this. 
At the moment, either I leave one of the two internal networks unfiltered and the networks are separated, so no one from one network can get to the other - or - I have both internal networks filtered, but devices from one network can access devices on the other network.

I've set the webfilter to run the transparent mode - don't want to use the standard mode.

Does anyone know how I can make it possible that both internal networks (LAN / guest) are filtered without opening them up to each other?

Thanks

Mike


  • Can you create a firewall rule to block access between guest and LAN?
  • I tried that - didn't help.

    As I said - the two networks are separate until I filter both of them. Filtering seems to create a 'hole' between the two internal networks.
  • That's disconcerting... 

    Have you tried VLANs? Subnets?
  •  that doesn't work the way it should
    It works as intended.

    The order of processing for firewall rules is as follows:
    Country Blocking
    NAT
    Proxies
    Manual Firewall

    Websites on separate internal networks are the same as websites on the internet, so by adding a network to the proxy, you are allowing access through the proxy.

    You can add sites you are hosting on separate networks to the blocklists in Filter Actions or create Blackhole DNATs.
  • VLANs shouldn't matter, since I'm using 2 different interfaces...
    All interfaces are in different subnets.

    Let me try 'drawing it out' for you.

    When only one interface / network is being filtered:

                          ___________________________________
                         |            Sophos UTM             |
        WAN interface ---|  Firewall, NAT  ===> Webfiltering |
                         |________________|__________________|
                                          |                  |
                                          |                  |
                                   Interface Guest      LAN interface
                                     (unfiltered)         (filtered)

                                   the two cannot talk to each other


    When both interfaces / networks are being filtered:

                          ___________________________________
                         |            Sophos UTM             |
        WAN interface ---|        Firewall, NAT, etc.        |
                         |                ||                 |
                         |                \/                 |
                         |           Webfiltering            |
                         |___________________________________|
                                        /         \
                                       /           \
                                      /             \
                            Interface Guest      LAN interface
                              (filtered)           (filtered)

                            the two can talk to each other


    What I'm trying to do: (and which I'm not able to get done)

                          ___________________________________
                         |            Sophos UTM             |
        WAN interface ---|        Firewall, NAT, etc.        |
                         |                ||                 |
                         |                \/                 |
                         |           Webfiltering            |
                         |___________________________________|
                                        /         \
                                       /           \
                                      /             \
                            Interface Guest      LAN interface
                              (filtered)           (filtered)

                            the two cannot talk to each other


    Hope that makes sense.

    Mike
  • Scott

    The order of the processing of firewall rules is some valuable information.

    I'll give it a shot.

    Thanks

    Mike
  • Hi Mike,

    just add internal networks to the "Skip transparent mode destination hosts" and uncheck "Allow HTTP/S traffic for listed hosts/nets".

    Regards
    mod
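    To make the processing order Scott quoted (Country Blocking, NAT, Proxies, Manual Firewall) and mod's skip-list suggestion concrete, here is a small Python model of how a guest-to-LAN HTTP packet is handled under each configuration discussed in the thread. It is an added illustration, not code from Sophos or from anyone in this thread; the addressing is constructed, and the semantics given to the skip list and to the "Allow HTTP/S traffic for listed hosts/nets" checkbox (listed destinations bypass the proxy, and the checkbox decides whether an automatic allow rule exists or the manual rule set applies) are assumptions made for the model rather than product documentation.

```python
"""Toy model of the UTM processing order quoted in the thread:
Country Blocking -> NAT -> Proxies -> Manual Firewall.

Added illustration. The behaviour of the transparent-proxy options
(skip list, "Allow HTTP/S traffic for listed hosts/nets") is an
assumption made for this model, not product documentation.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample addressing for the two internal interfaces in the question.
NETWORKS = {"LAN": "192.168.10.0/24", "Guest": "192.168.20.0/24"}


@dataclass
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination TCP port


@dataclass
class UtmConfig:
    filtered_nets: set                                   # networks handed to transparent web filtering
    skip_dst_nets: set = field(default_factory=set)      # "Skip transparent mode destination hosts/nets"
    allow_skipped: bool = False                          # "Allow HTTP/S traffic for listed hosts/nets"
    blackhole_dnat: list = field(default_factory=list)   # (src_net, dst_net) pairs
    manual_rules: list = field(default_factory=list)     # (src_net, dst_net, "allow" | "drop")


def net_of(ip: str) -> str:
    """Map an address to a named interface network, or 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "Internet"


def process(cfg: UtmConfig, pkt: Packet) -> str:
    src, dst = net_of(pkt.src), net_of(pkt.dst)
    # 1. Country blocking: irrelevant for private addresses, modelled as pass-through.
    # 2. NAT runs before the proxy, so a blackhole DNAT swallows the packet first.
    if (src, dst) in cfg.blackhole_dnat:
        return "dropped by blackhole DNAT"
    # 3. Proxies: the transparent web filter claims HTTP/S from every filtered network.
    if src in cfg.filtered_nets and pkt.dport in (80, 443):
        if dst not in cfg.skip_dst_nets:
            # The proxy terminates the connection; manual rules for the
            # original flow are never evaluated.
            return "proxied (manual firewall never consulted)"
        if cfg.allow_skipped:
            return "allowed by auto rule for skip-list hosts"
        # Destination on the skip list and no auto rule: fall through to 4.
    # 4. Manual firewall: first match wins, implicit drop at the end.
    for r_src, r_dst, action in cfg.manual_rules:
        if r_src in (src, "Any") and r_dst in (dst, "Any"):
            return f"{action} by manual rule"
    return "dropped by default policy"


GUEST_TO_LAN_HTTP = Packet("192.168.20.50", "192.168.10.10", 80)
GUEST_TO_WEB_HTTP = Packet("192.168.20.50", "203.0.113.7", 80)   # constructed TEST-NET-3 address
BOTH = {"LAN", "Guest"}


def only_lan_filtered() -> str:
    return process(UtmConfig(filtered_nets={"LAN"}), GUEST_TO_LAN_HTTP)


def both_filtered_with_drop_rule() -> str:
    # The situation in the question: a manual drop rule exists but is never reached.
    return process(UtmConfig(filtered_nets=BOTH, manual_rules=[("Guest", "LAN", "drop")]),
                   GUEST_TO_LAN_HTTP)


def both_filtered_skip_list() -> str:
    # mod's suggestion: LAN on the skip list, auto-allow checkbox off.
    return process(UtmConfig(filtered_nets=BOTH, skip_dst_nets={"LAN"}, allow_skipped=False),
                   GUEST_TO_LAN_HTTP)


def both_filtered_skip_list_autoallow() -> str:
    # Same, but with the checkbox left on: the hole reopens.
    return process(UtmConfig(filtered_nets=BOTH, skip_dst_nets={"LAN"}, allow_skipped=True),
                   GUEST_TO_LAN_HTTP)


def both_filtered_blackhole() -> str:
    # Scott's alternative: a blackhole DNAT is evaluated before the proxy.
    return process(UtmConfig(filtered_nets=BOTH, blackhole_dnat=[("Guest", "LAN")]),
                   GUEST_TO_LAN_HTTP)


def guest_to_internet_still_filtered() -> str:
    return process(UtmConfig(filtered_nets=BOTH, skip_dst_nets={"LAN"}), GUEST_TO_WEB_HTTP)


if __name__ == "__main__":
    for fn in (only_lan_filtered, both_filtered_with_drop_rule, both_filtered_skip_list,
               both_filtered_skip_list_autoallow, both_filtered_blackhole,
               guest_to_internet_still_filtered):
        print(f"{fn.__name__:36s} -> {fn()}")
```

    Running it shows why a manual drop rule alone has no effect once both networks are filtered (the proxy stage returns before the manual firewall is reached), why the skip list only closes the gap with the auto-allow checkbox unchecked, and why a blackhole DNAT works regardless, since NAT sits ahead of the proxy in the order.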
  • Hi, Mike, and welcome to the User BB!

    You can request a copy of a document I maintain, "Configure HTTP Proxy for a Network of Guests," by clicking on my name beside the Cyrano avatar and sending me an email.  Available in English and also in German.

    Cheers - Bob
  • Hi Mike,

    just add internal networks to the "Skip transparent mode destination hosts" and uncheck "Allow HTTP/S traffic for listed hosts/nets".

    Regards
    mod


    I had tried that but it didn't help...


    Right now I've implemented filters to block one network from the other - it works, but I wish there was a better solution - I'll look into the HTTP Proxy and Blackhole DNATs and hope that works better.
  • I had tried that but it didn't help...


    That's strange. In all my implementations, I've done it this way and it's working as expected. Maybe there is a misconfiguration somewhere else.

    You can do additional steps for blocking the communication in standard mode. I think these steps are described in Bob's document. 

    Regards
    mod